From 2f28a008c2964205bc1b818429d34ec6b776113a Mon Sep 17 00:00:00 2001 From: matthew-parlette Date: Fri, 25 Apr 2014 16:33:07 -0400 Subject: [PATCH 1/3] Cleared out static parts of config since it was causing issues --- openssh/files/sshd_config | 123 -------------------------------------- pillar.example | 1 + 2 files changed, 1 insertion(+), 123 deletions(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index f26f29d..b722ae2 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config 
@@ -18,126 +18,3 @@ {%- endfor %} {%- endif %} {%- endfor %} - -# What ports, IPs and protocols we listen for -#Port 22 -# Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: -#ListenAddress 0.0.0.0 -#Protocol 2 -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#Privilege Separation is turned on for security -#UsePrivilegeSeparation yes - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 3600 -#ServerKeyBits 768 - -# Logging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: -#LoginGraceTime 120 -#PermitRootLogin yes -#StrictModes yes - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys - -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -#PermitEmptyPasswords no - -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -#ChallengeResponseAuthentication no - -# Change to no to disable tunnelled clear text passwords -#PasswordAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosGetAFSToken no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -#X11Forwarding yes -#X11DisplayOffset 10 -#PrintMotd no -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net - -# Allow client to pass locale environment variables -#AcceptEnv LANG LC_* - -#Subsystem sftp /usr/lib/openssh/sftp-server - -# Set this to 
'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM yes - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -X11Forwarding yes -#X11DisplayOffset 10 -#X11UseLocalhost yes -PrintMotd no # pam does that -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -{% if grains['os_family'] == 'RedHat' %} -UsePrivilegeSeparation yes # RedHat/Centos 6.4 and earlier currently ship 5.3 (sandbox introduced in OpenSSH 5.9) -{% else %} -UsePrivilegeSeparation sandbox # Default for new installations. -{% endif %} -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS yes -#PidFile /run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -Banner /etc/ssh/banner - -# override default of no subsystems -Subsystem sftp /usr/lib/ssh/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# ForceCommand cvs server diff --git a/pillar.example b/pillar.example index cd89e7b..58a404c 100644 --- a/pillar.example +++ b/pillar.example @@ -12,6 +12,7 @@ sshd_config: LogLevel: INFO LoginGraceTime: 120 PermitRootLogin: yes + PasswordAuthentication: no StrictModes: yes RSAAuthentication: yes PubkeyAuthentication: yes From cdfab3953d47ab7c3f2bb97f05988a2fd184524d Mon Sep 17 00:00:00 2001 
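Review bot: `PasswordAuthentication: no` on its own does not close the password path while `UsePAM yes` is in effect; the template's own comment (visible in the removed block above) says PAM authentication is also allowed through ChallengeResponseAuthentication, so a reader copying only this line can still end up with password logins via keyboard-interactive. A one-line comment beside the new key, `# keep ChallengeResponseAuthentication: no as well; with UsePAM yes it is a second password path`, would keep the example from being misread. At this commit the bare `no` is still safe because the template's `sameas false` branch renders it as `no`.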
From: matthew-parlette Date: Sat, 26 Apr 2014 18:22:17 -0400 Subject: [PATCH 2/3] Define a line for each option. This provides a default option (according to the package-provided config file) for each option in the config. --- openssh/files/sshd_config | 101 ++++++++++++++++++++++++++++++++------ 1 file changed, 86 insertions(+), 15 deletions(-) diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config index b722ae2..e56beac 100644 --- a/openssh/files/sshd_config +++ b/openssh/files/sshd_config 
@@ -1,20 +1,91 @@ -{% set sshd_config = pillar.get('sshd_config', {}) %} - # This file is managed by salt. Manual changes risk being overwritten. # The contents of the original sshd_config are kept on the bottom for # quick reference. # See the sshd_config(5) manpage for details -{% for keyword, argument in sshd_config.iteritems() %} - {%- if argument is sameas true %} -{{ keyword }} yes - {%- elif argument is sameas false %} -{{ keyword }} no - {%- elif argument is string or argument is number %} -{{ keyword }} {{ argument }} - {%- else %} - {%- for item in argument %} -{{ keyword }} {{ item }} - {%- endfor %} - {%- endif %} -{%- endfor %} +# What ports, IPs and protocols we listen for +Port {{ salt['pillar.get']('sshd_config:Port','22') }} +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +ListenAddress {{ salt['pillar.get']('sshd_config:ListenAddress','0.0.0.0') }} +Protocol {{ salt['pillar.get']('sshd_config:Protocol','2') }} + +# HostKeys for protocol version 2 +{% for host_key in salt['pillar.get']('sshd_config:',['/etc/ssh/ssh_host_rsa_key','/etc/ssh/ssh_host_dsa_key','/etc/ssh/ssh_host_ecdsa_key']) %} +HostKey {{ host_key }} +{% endfor %} + +#Privilege Separation is turned on for security +UsePrivilegeSeparation {{ salt['pillar.get']('sshd_config:UsePrivilegeSeparation','yes') }} + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval {{ salt['pillar.get']('sshd_config:KeyRegenerationInterval','3600') }} +ServerKeyBits {{ salt['pillar.get']('sshd_config:ServerKeyBits','768') }} + +# Logging +SyslogFacility {{ salt['pillar.get']('sshd_config:SyslogFacility','AUTH') }} +LogLevel {{ salt['pillar.get']('sshd_config:LogLevel','INFO') }} + +# Authentication: +LoginGraceTime {{ salt['pillar.get']('sshd_config:LoginGracetime','120') }} +PermitRootLogin {{ salt['pillar.get']('sshd_config:PermitRootLogin','no') }} +StrictModes {{ salt['pillar.get']('sshd_config:StrictModes','yes') }} + 
+RSAAuthentication {{ salt['pillar.get']('sshd_config:RSAAuthentication','yes') }} +PubkeyAuthentication {{ salt['pillar.get']('sshd_config:PubkeyAuthentication','yes') }} +AuthorizedKeysFile {{ salt['pillar.get']('sshd_config:AuthorizedKeysFile','%h/.ssh/authorized_keys') }} + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts {{ salt['pillar.get']('sshd_config:IgnoreRhosts','yes') }} +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication {{ salt['pillar.get']('sshd_config:RhostsRSAAuthentication','no') }} +# similar for protocol version 2 +HostbasedAuthentication {{ salt['pillar.get']('sshd_config:HostbasedAuthentication','no') }} +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +IgnoreUserKnownHosts {{ salt['pillar.get']('sshd_config:IgnoreUserKnownHosts','yes') }} + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords {{ salt['pillar.get']('sshd_config:PermitEmptyPasswords','no') }} + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication {{ salt['pillar.get']('sshd_config:ChallengeResponseAuthentication','no') }} + +# Change to no to disable tunnelled clear text passwords +PasswordAuthentication {{ salt['pillar.get']('sshd_config:PasswordAuthentication','yes') }} + +# Kerberos options +KerberosAuthentication {{ salt['pillar.get']('sshd_config:KerberosAuthentication','no') }} +KerberosGetAFSToken {{ salt['pillar.get']('sshd_config:KerberosGetAFSToken','no') }} +KerberosOrLocalPasswd {{ salt['pillar.get']('sshd_config:KerberosOrLocalPasswd','yes') }} +KerberosTicketCleanup {{ salt['pillar.get']('sshd_config:KerberosTicketCleanup','yes') }} + +# GSSAPI options +GSSAPIAuthentication {{ salt['pillar.get']('sshd_config:GSSAPIAuthentication','no') }} +GSSAPICleanupCredentials {{ salt['pillar.get']('sshd_config:GSSAPICleanupCredentials','yes') }} + +X11Forwarding 
{{ salt['pillar.get']('sshd_config:X11Forwarding','yes') }} +X11DisplayOffset {{ salt['pillar.get']('sshd_config:X11DisplayOffset','10') }} +PrintMotd {{ salt['pillar.get']('sshd_config:PrintMotd','no') }} +PrintLastLog {{ salt['pillar.get']('sshd_config:PrintLastLog','yes') }} +TCPKeepAlive {{ salt['pillar.get']('sshd_config:TCPKeepAlive','yes') }} +UseLogin {{ salt['pillar.get']('sshd_config:UseLogin','no') }} + +MaxStartups {{ salt['pillar.get']('sshd_config:MaxStartups','10:30:60') }} +Banner {{ salt['pillar.get']('sshd_config:Banner','/etc/issue.net') }} + +# Allow client to pass locale environment variables +AcceptEnv {{ salt['pillar.get']('sshd_config:AcceptEnv','LANG LC_*') }} + +Subsystem {{ salt['pillar.get']('sshd_config:Subsystem','sftp /usr/lib/openssh/sftp-server') }} + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM {{ salt['pillar.get']('sshd_config:UsePAM','yes') }} From 4b4f4b5d3dc1fd6db7f9a16bbf0a11f09af3269b Mon Sep 17 00:00:00 2001 From: matthew-parlette Date: Sun, 27 Apr 2014 14:52:58 -0400 Subject: [PATCH 3/3] Explicitly defined options as strings. This fixes an issue where PyYAML was converting yes and no into True and False in the generated sshd_config file. --- pillar.example | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/pillar.example b/pillar.example index 58a404c..1e46152 100644 --- a/pillar.example +++ b/pillar.example 
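Review bot: The HostKey loop reads pillar key `sshd_config:` with nothing after the colon, so a host-key list supplied in pillar (pillar.example appears to carry one, under a key not visible in this series) can never be picked up and the three-key default is always rendered; the lookup presumably wants `{% for host_key in salt['pillar.get']('sshd_config:HostKey', [...]) %}`. LoginGraceTime is silently ignored for the same reason, a case typo: the template reads `sshd_config:LoginGracetime` while pillar.example spells the key `LoginGraceTime`, so the line should be `LoginGraceTime {{ salt['pillar.get']('sshd_config:LoginGraceTime','120') }}`. Two defaults also depart from the package file the commit message says they follow and deserve a comment: PermitRootLogin defaults to 'no' where the removed reference copy had `#PermitRootLogin yes` (the safer choice, but `# default tightened from the package's yes` would make it deliberate), and `ListenAddress 0.0.0.0` binds IPv4 only where the package leaves the option unset and sshd listens on all address families. The unchanged header line saying the original sshd_config is "kept on the bottom for quick reference" is now stale, since the first patch of this series removed that copy.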
@@ -5,30 +5,30 @@ sshd_config: - /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_dsa_key - /etc/ssh/ssh_host_ecdsa_key - UsePrivilegeSeparation: yes + UsePrivilegeSeparation: 'yes' KeyRegenerationInterval: 3600 ServerKeyBits: 768 SyslogFacility: AUTH LogLevel: INFO LoginGraceTime: 120 - PermitRootLogin: yes - PasswordAuthentication: no - StrictModes: yes - RSAAuthentication: yes - PubkeyAuthentication: yes - IgnoreRhosts: yes - RhostsRSAAuthentication: no - HostbasedAuthentication: no - PermitEmptyPasswords: no - ChallengeResponseAuthentication: no - X11Forwarding: yes + PermitRootLogin: 'yes' + PasswordAuthentication: 'no' + StrictModes: 'yes' + RSAAuthentication: 'yes' + PubkeyAuthentication: 'yes' + IgnoreRhosts: 'yes' + RhostsRSAAuthentication: 'no' + HostbasedAuthentication: 'no' + PermitEmptyPasswords: 'no' + ChallengeResponseAuthentication: 'no' + X11Forwarding: 'yes' X11DisplayOffset: 10 - PrintMotd: no - PrintLastLog: yes - TCPKeepAlive: yes + PrintMotd: 'no' + PrintLastLog: 'yes' + TCPKeepAlive: 'yes' AcceptEnv: "LANG LC_*" Subsystem: "sftp /usr/lib/openssh/sftp-server" - UsePAM: yes + UsePAM: 'yes' openssh: auth:
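Review bot: The quoting fixes only the example; the template now emits `{{ salt['pillar.get'](...) }}` verbatim, so any site pillar that still writes a bare `yes`/`no` arrives as a Python boolean and renders as `True`/`False`, which sshd rejects when it parses the file. The reason belongs next to the values so it survives copy-and-edit, e.g. `# quote yes/no: YAML reads them as booleans, which would render as True/False in sshd_config`. Separately, `PermitRootLogin: 'yes'` in the example is looser than the template's own default of 'no', and combined with `PasswordAuthentication: 'no'` just below it, `PermitRootLogin: 'without-password'` expresses the key-only root access the example seems to intend. The numeric values left unquoted (3600, 768, 120, 10) are fine, as they render as digits.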